Phorpiex botnet sent millions of phishing emails to deliver LockBit Black ransomware

Pierluigi Paganini May 14, 2024

Experts reported that since April, the Phorpiex botnet sent millions of phishing emails to spread LockBit Black ransomware.

New Jersey’s Cybersecurity and Communications Integration Cell (NJCCIC) reported that since April, threat actors have used the Phorpiex botnet to send millions of phishing emails as part of a LockBit Black ransomware campaign.

The botnet has been active since at least 2016. In the past it has been involved in sextortion spam campaigns, crypto-jacking, cryptocurrency clipping (replacing a wallet address copied to the clipboard with the attacker’s wallet address so that a transaction is redirected) and ransomware attacks.

In August 2021, the criminal organization behind the Phorpiex botnet shut down its operations and put the bot’s source code up for sale on a cybercrime forum on the dark web.

In December 2021, experts at Check Point Research observed the resurgence of the Phorpiex botnet.

The new variant, dubbed “Twizt,” can operate without active C2 servers in peer-to-peer mode: each infected computer can act as a server and relay commands to other bots in a chain. Experts estimated that in one year it allowed the operators to steal crypto assets worth about 500,000 dollars.

The emails sent in the April campaign contain ZIP attachments and were sent from the same two addresses, “JennyBrown3422[@]gmail[.]com” and “Jenny[@]gsd[.]com.”

The ZIP archives contain a compressed executable payload that, if executed, starts the encryption process with LockBit Black ransomware.

“Observed instances associated with this campaign were accompanied by the Phorpiex (Trik) botnet, which delivered the ransomware payload. Over 1,500 unique sending IP addresses were identified, many of which were geolocated to Kazakhstan, Uzbekistan, Iran, Russia, China, and other countries.” states the report published by the NJCCIC. “Identified IPs hosting LockBit executables were 193[.]233[.]132[.]177 and 185[.]215[.]113[.]66. Subject lines included “your document” and “photo of you???”. All associated emails were blocked or quarantined.”
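The indicators above (the two sender addresses, the two subject lines, the two IPs hosting LockBit executables, and a ZIP attachment wrapping an executable) are enough to build a simple triage rule. The following Python script is an added example written for this article, not code from NJCCIC or from the original page: it checks constructed sample messages against those indicators, un-defangs the bracketed notation before matching, and opens ZIP attachments in memory to look for executable members. The list of executable extensions and the sample messages are assumptions made for the example; the two IPs are matched against URLs in the message body because the report identifies them as hosting the payload, not as sending addresses.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Indicators quoted from the NJCCIC report in the article, with the defanging
# brackets removed so they can be compared against live message data.
SENDER_IOCS = {"jennybrown3422@gmail.com", "jenny@gsd.com"}
SUBJECT_IOCS = {"your document", "photo of you???"}
HOSTING_IP_IOCS = {"193.233.132.177", "185.215.113.66"}
# Assumption for this example: extensions treated as directly executable on Windows.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(value: str) -> str:
    """Turn defanged text such as 185[.]215[.]113[.]66 back into a normal string."""
    return value.replace("[.]", ".").replace("[@]", "@")


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes


def executables_in_zip(data: bytes) -> list:
    """Return member names inside a ZIP that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [n for n in archive.namelist()
                    if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def assess(msg: Message) -> list:
    """Return the reasons a message matches this campaign (empty list = no match)."""
    reasons = []
    if refang(msg.sender).strip().lower() in SENDER_IOCS:
        reasons.append(f"sender matches campaign address: {msg.sender}")
    if msg.subject.strip().lower() in SUBJECT_IOCS:
        reasons.append(f"subject matches campaign lure: {msg.subject!r}")
    # The report lists these IPs as hosting LockBit executables, so look for
    # them in links inside the body rather than in the sending address.
    for ip in sorted(set(IPV4_RE.findall(refang(msg.body)))):
        if ip in HOSTING_IP_IOCS:
            reasons.append(f"body references LockBit hosting IP: {ip}")
    for name, data in msg.attachments.items():
        if name.lower().endswith(".zip"):
            members = executables_in_zip(data)
            if members:
                reasons.append(f"ZIP {name} contains executable(s): {members}")
    return reasons


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP; used here only to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed sample messages for the example (not real captured mail).
SAMPLES = {
    "lure": Message(
        sender="JennyBrown3422@gmail.com",
        subject="photo of you???",
        body="see attached",
        attachments={"photo.zip": build_zip({"photo.exe": b"MZ\x90\x00fake"})},
    ),
    "link_only": Message(
        sender="colleague@example.org",
        subject="invoice",
        body="download from http://185[.]215[.]113[.]66/update.exe",
    ),
    "benign": Message(
        sender="colleague@example.org",
        subject="minutes",
        body="notes attached",
        attachments={"notes.zip": build_zip({"notes.txt": b"hello"})},
    ),
}


def run_samples() -> dict:
    """Assess every sample and map its name to the list of reasons found."""
    return {name: assess(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(name, "->", reasons or ["no match"])
```

Exact-match indicators like these age quickly, since the sending addresses and hosting IPs rotate; the durable part of the rule is the structural check for an archive attachment that wraps an executable, which is the delivery pattern the campaign relies on.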

To defend against ransomware campaigns like this one, NJCCIC provided the following recommendations:

  1. Security Awareness Training: Engage in security awareness training to enhance defense mechanisms and recognize potential signs of malicious communications.
  2. Password Management: Use strong, unique passwords and implement multi-factor authentication (MFA) whenever possible, prioritizing authentication apps or hardware tokens over SMS text-based codes.
  3. System Updates: Keep systems updated and apply patches promptly after thorough testing to address vulnerabilities.
  4. Endpoint Security: Install endpoint security solutions to fortify defenses against malware attacks.
  5. Monitoring and Detection: Utilize monitoring and detection solutions to identify suspicious login attempts and abnormal user behavior.
  6. Email Filtering: Implement email filtering solutions such as spam filters to block malicious messages. Reference the provided resources for establishing DMARC authentication.
  7. Ransomware Mitigation: Refer to available resources for ransomware mitigation techniques and strategies.
  8. Phishing Reporting: Report phishing emails and other malicious cyber activities to relevant authorities like the FBI’s IC3 and the NJCCIC.
